WHAT'S COMING UP?

- Contactless payments
- What is EMV?
- How does NFC fit in?
- Threat vectors
- Shielding inadequacy
- Live fraud demo (x2!)
- GuardBunny

CONTACTLESS PAYMENTS

- EMV: Europay, MasterCard, Visa
  - JCB and AmEx joined later
  - Europay bought by MasterCard in 2002
  - Defines standards for next-gen payments
- "Contactless" in USA
  - "Chip and PIN" in Europe
  - Same standard, different communications
- NFC is a superset of "Contactless"
  - Same over-the-air protocol, additional security

DO YOU HAVE A CONTACTLESS CARD?

- You might be surprised...
- Two "universal" symbols aren't always present
- Other symbols are brand-specific

[Slide image: brand logos, including Visa, Discover Zip, ExpressPay and PayPass]

NFC AND CONTACTLESS PAYMENT?

- NFC supports EMV-style contactless payment
  - We BELIEVE keys are stored securely
    - In the NFC chip on the phone
  - Software reversing SHOULD NOT allow key recovery
- NFC application on the phone must be active
  - NFC is off when the screen is off (for Google Wallet)
  - PIN required to unlock the NFC app
    - With settable timeout
  - Explicit lock after use is possible
- Other than this, NFC is IDENTICAL to EMV
  - Arguably more secure, arguably just as vulnerable

CONTACTLESS SECURITY

- Cards are "secure"
  - JCOP smartcards are used
- Readers are "secure"
  - Again, secure microcontrollers and protected keys
- Protocol is "secure"
  - Strong encryption (?)
- "Secure" in this context means:
  - Cost of attack is larger than potential fraud gains
  - Keys can ALWAYS be extracted given adequate budget
IS THE PROTOCOL SECURE?

- Maybe, maybe not.
- There doesn't appear to be mutual auth.
- http://nosedookie.blogspot.com/2011/06/reading-chase-visa-paypass-credit-cards.html
  - Read EMV cards from a non-EMV reader!
- Do we get all the info? Not sure yet.
  - Some data is available
  - Some encryption is present
  - More work is needed.
LEGACY PAYMENT INFRASTRUCTURE

- Payment terminals expect a "credit card number"
  - As well as other info: customer name, CVV or other check digits
- Terminals always assume mag-stripes are used
  - Encryption is not supported
- Contactless payment readers have to work with this, so:
  - A secure terminal...
  - ...speaks a secure protocol...
  - ...to a secure device...
  - ...and outputs a plaintext "card number"
CONTACTLESS FRAUD VECTOR

- Contactless readers are widely available
  - Around $100 on various sites
- Let the reader handle whatever crypto is there
  - Completely transparent to the terminal
- Harvest the card number
  - Data is output via serial port
- Write card data to magstripe
  - Use magstripe as a payment card
DOES THAT REALLY WORK?

DEMO 1: Making a payment
CONTACTLESS FRAUD LIMITATIONS

- Contactless "check digits" change
  - Unique check digits per transaction
- Check digits are only used once
  - If re-presented, disable RFID token
- Check digits follow a sequence
  - If sequence is broken, disable RFID token
- Check digits are different from magstripe
  - If check digits don't match, disable RFID token
- Some cards (AmEx) use different numbers
  - One card number for magstripe, different number for RFID
DO THE PROTECTIONS WORK?

- Conducting multiple contactless transactions
  - Easy! Read the card multiple times.
    - Only takes a few seconds per read
- Old-style card fraud:
  - One magstripe good for multiple transactions
- New-style card fraud:
  - Multiple contactless cards, one transaction each
- Contactless skimming is far easier than magstripe
  - Card never needs to leave the victim's pocket

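An issuer-side model of the three token-disabling rules from the "Contactless fraud limitations" slide (check digits re-presented, sequence broken, contactless digits appearing on a swipe), added here as example code that is not part of the talk; it also shows, for the slide above, that a run of in-sequence values looks to these rules exactly like genuine taps. The keyed-MAC derivation of the check digits, ISSUER_KEY, MAX_GAP and the approve/decline/disable outcomes are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample issuer key; real per-card keys live in the issuer's HSM.
ISSUER_KEY = b"constructed-issuer-key"
MAX_GAP = 10  # assumed tolerance for taps that never reached the issuer


def _mac3(msg: str) -> str:
    """Three check digits from a keyed MAC (stand-in for the real derivation)."""
    mac = hmac.new(ISSUER_KEY, msg.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


def dynamic_check(pan: str, atc: int) -> str:
    """Contactless check digits: unique per application transaction counter."""
    return _mac3(f"{pan}:contactless:{atc}")


def static_check(pan: str) -> str:
    """Magstripe check digits: fixed for the life of the card."""
    return _mac3(f"{pan}:magstripe")


@dataclass
class Token:  # issuer-side state for one card's RFID token
    pan: str
    last_atc: int = 0
    seen: set = field(default_factory=set)
    disabled: bool = False


def authorize(tok: Token, channel: str, atc: int, check: str) -> str:
    """Return 'approve', 'decline' or 'disable' for one authorization request."""
    if tok.disabled:
        return "decline"
    if channel == "magstripe":
        # Rule 3: a swipe must carry magstripe digits; contactless digits on a
        # stripe mean the track data was lifted over the air.
        if check == static_check(tok.pan):
            return "approve"
        tok.disabled = True
        return "disable"
    if check != dynamic_check(tok.pan, atc):
        return "decline"  # wrong check digits: ordinary decline
    if (atc, check) in tok.seen:  # Rule 1: check digits re-presented
        tok.disabled = True
        return "disable"
    if atc <= tok.last_atc or atc - tok.last_atc > MAX_GAP:  # Rule 2: sequence broken
        tok.disabled = True
        return "disable"
    tok.seen.add((atc, check))
    tok.last_atc = atc
    return "approve"
```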
MULTIPLE TRANSACTIONS

Demo 2: Read many times
UPPING THE CONTACTLESS ANTENNA

- High-power readers are possible
- Contactless range is typically 3-5 inches
  - That's using milliwatts of RF power
- Contactless operates at 13.56 MHz
  - There's a Ham band at 14 MHz
  - Slightly out-of-band amplifiers will work nicely
- High power is easy to obtain
  - Antennas and receivers are harder
- Theoretical range limit: at least tens of feet
CONTACTLESS DEFENCES

- Passive "shields" or metallic wallets:
  - Only reduce the signal strength
  - This will not block a high-powered reader
- We lab-tested a dozen different passive shields
  - Reported for a large consumer magazine
  - Significant inconsistency across samples, RFID bands
- No shielding standards exist
  - FIPS 201 is commonly cited, which simply says:
    "an electromagnetically opaque sleeve or other technology to protect against any unauthorized contactless access to information"
    http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf (page 8)
PASSIVE SHIELDS

[Slide chart: measured attenuation per shield type]
PASSIVE SHIELDS: CONCLUSIONS

- No single product stood out as "The Best"
  - Different leaders in all 3 bands
- Crumpling can raise or lower performance
  - Could even depend on the RF band in use
- LOTS of variation on the market
  - @13.56 MHz: -50 dB between best and worst!
    (That's 100,000x for non-radio folks)
- Lack of standards means lack of consistency
  - Recommend NONE of these products
SHIELDING FAILURES

Demo 3: 125 kHz
GUARDBUNNY™: A BETTER SHIELD

- Passive shields don't work.
  - Too unpredictable, can be overpowered
- What about active shields?
- GuardBunny™ has no CPU or memory
  - LOWER power than the tag
- It generates similar modulation to the RFID tag
  - The reader can't tell us apart
- More power in, more power out!
  - VERY hard to overpower.
ACTIVE SHIELDING

CAN YOU HAVE ONE?

- Currently made of discrete SMDs on PCB
  - Much more expensive than RFID tags :(
- Next step: ASIC production
  - Will make it cheaper & even lower-power
  - Forecast: 6-9 months
- Happy to talk to engineers or fab owners
  (Or anyone else who can help us speed that up!)

QUESTIONS?

Kris@recursion.com

@KrisPaget